Comparative Analysis of BBBOnline Draft Code of Online Business Practices with Other Consumer ECommerce Codes and Standards

Public Interest Advocacy Centre
1204 – 1 Nicholas St.
Ottawa, Ontario K1N 7B7

TABLE OF CONTENTS
I. INTRODUCTION
II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE
III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO THE BBBONLINE DRAFT CODE
IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE
V. FORMAT/STRUCTURE OF OTHER CODES
VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS
1. Information Disclosure
2. Misleading/Deceptive Practices
3. Online Contract Formation/Cancellation
4. Contract Fulfilment/Return Policy
5. Consumer Privacy (Data Protection)
6. Transactional Security
7. Consumer Redress
8. Unsolicited Commercial Email
9. Protection of Children
10. Compliance Assessment and Oversight
VI. CONCLUSION
APPENDIX A: OUTLINE OF SELECTED CODES AND STANDARDS
APPENDIX B: COMPONENTS OF A CONSUMER ECOMMERCE STANDARD

I. INTRODUCTION

The following report examines the current draft “Code of Online Business Practices” developed by BBBOnline,(1) and analyses its practicability and rigour from a consumer perspective, in comparison with other existing codes and standards on consumer ecommerce. The conclusion of the comparative analysis is that the draft BBBOnline Code is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak, however, in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but is clearly deficient in some key respects.
The author reviewed a number of Codes and Standards (see Appendix A) in order to develop a list of possible components of a consumer ecommerce standard (see Appendix B). This list is divided into the following categories:

  • Information Disclosure
  • No Misleading/Deceptive Practices
  • Online Contract Formation/Cancellation
  • Contract Fulfilment/Return Policy
  • Consumer Privacy (Data Protection)
  • Transactional Security
  • Consumer Redress
  • Unsolicited Commercial Email
  • Protection of Children
  • Compliance Assessment
  • Miscellaneous

The BBBOnline draft Code was then judged against this list in order to determine its comprehensiveness, both absolutely and relative to other Codes and Standards. The terms of the BBBOnline draft Code were then assessed for adequacy and rigour, under the general headings above. In each case, the adequacy of the BBBOnline Code was assessed both absolutely and relative to other Codes and Standards.
In general, the documents examined fall into three categories, which we have termed “standards”, “seal programs”, and a “seal of seals” or “umbrella code”.

  • Standards set out a list of requirements, but have no compliance mechanism attached to them, no “seal” to place on the business’s website, no registration system, and no oversight body or “code owner”. (Such mechanisms may be attached to formal standards, but are not necessarily so.)
  • Seal programs, on the other hand, couple a list of requirements with a seal and registration system administered by the “code owner”, and usually also include a compliance mechanism also administered by the “code owner”.
  • A “seal of seals” legitimizes and certifies seal programs according to its own code of practice, and therefore involves all of the same components as a seal program, with additional requirements for “code owners”.

The BBBCode, as presented, is in the nature of a standard, lacking any particular compliance mechanism or seal. BBBOnline states the draft Code “is designed to guide ethical business conduct in electronic commerce”, and goes on to “encourage broad compliance with this voluntary Code”, stating: “We encourage all online businesses to adopt these guidelines.” Thus, it appears that the Code will not be accompanied by a separate seal, and that businesses may simply self-declare their adherence to the Code. This raises concerns from a consumer perspective, since association of the Code with BBB may suggest a level of oversight that does not exist.
However, BBBOnline also indicates that it intends to apply this new Code of Practice to its existing “Reliability” seal program: “Our BBBOnline Reliability participants are expected to adhere to these guidelines.” In this context, the Code would then become part of a seal program, with the associated mechanisms for consumer redress and subscriber compliance.(2) In this context, some of the draft Code’s deficiencies would be corrected, but gaps would still remain in the areas identified above.
BBBOnline also administers another Code of Practice, focused on consumer privacy: the BBBOnline Privacy Seal is a separate program, with a much more detailed set of privacy requirements than those set out in the draft Code examined.(3) It is unclear why BBBOnline sees fit to accept data protection practices under its Reliability Seal that are of a lower standard than those required under its Privacy Seal.
The following codes, seals, and standards were examined in the research underlying this report:

Standards

  • Canadian Principles of Consumer Protection for Electronic Commerce
  • CSA International Privacy Standard (part of Canadian Principles)
  • OECD Consumer Protection Guidelines for E-Commerce
  • Australian Complaints Handling Standard (AS/NZS 4269)
  • British Standard on Information Security Management (BS 7799-2)
  • Ziff-Davis “The Standard for Internet Commerce”

Seal Programs

  • WebTrader (UK)
  • WebTrust
  • TRUSTe
  • Better Internet Bureau
  • Better Cyber Bureau (Safengine)

Seal of Seals

  • TrustUK

II. COMPREHENSIVENESS OF BBBONLINE DRAFT CODE

The BBBOnline draft Code (“BBBCode”) covers all relevant topics, but is more comprehensive in some areas than in others. Its rules regarding information disclosure, misleading or deceptive business practices, contract formation/cancellation, contract fulfilment, and protection of children are highly comprehensive; BBBOnline scores top marks here. Many of the BBBCode provisions in these areas were found in no other code. Indeed, the BBBCode deserves special mention for its relatively comprehensive prohibitions in the area of misleading and deceptive practices, as well as information disclosure. The only gaps noticed in these areas are minor, and mitigated by other requirements – they involve:

  • the tentative nature of the proposed clause requiring online businesses to disclose “any health, safety, nutrition or other package warnings for those transactions if those warnings are required to appear on the good or service packaging” (A note following this clause expresses concern that it may be too burdensome for businesses.)
  • there is no clause requiring certain information to be provided with tangible goods at the time of delivery. However, all relevant information is to be provided on the website.
  • there is no rule specifically requiring the business to promptly correct any mistakes in billing, payment, or receipts. However, there is a general rule that all commitments and representations be honoured, and that good faith efforts be made to resolve any disputes to the consumer’s satisfaction.

The BBBCode is less comprehensive, however, when it comes to consumer privacy, redress and transactional security. While each of these areas is addressed, large gaps remain. In particular,

  • there is no rule requiring the clear identification of unsolicited commercial email as such (however, the Code does require businesses to offer an “opt-out” option, and to respect the consumer’s preference regarding unsolicited commercial email);
  • the rule regarding security is brief and general, seems to focus on confidentiality of transactional information, and does not clearly cover issues concerning authenticity and integrity;
  • the rules regarding consumer privacy fail to limit collection, use or disclosure (other than to third parties for marketing purposes), fail to limit retention (other than when the transaction is not completed), and fail to establish any individual access rights, redress rights, or compliance/accountability standards. Instead, they focus almost exclusively on disclosure;
  • there is no rule establishing business responsibility for unauthorized transactions;
  • businesses are not required to have a returns policy, or to refund the consumer in appropriate circumstances;
  • the rules regarding complaints handling and dispute resolution are extremely brief and general, which is surprising given the BBB’s long history of expertise in this area. In particular, all that the draft code currently requires with regard to dispute resolution where the complaint cannot be resolved internally is that “additional means” be provided to satisfy the consumer, which “means” may or may not include third party dispute resolution (they could instead be refunds, insurance policies, escrow services, or chargeback mechanisms). It should be noted, however, that BBBOnline highlights the tentative nature of this approach and has invited feedback on it.

In summary, the BBBCode covers all major areas of consumer concern in ecommerce, but does so with varying degrees of comprehensiveness. Areas well covered include information disclosure, fair business practices, contract formation and fulfilment, and special protection for children. Areas not so well covered include consumer privacy and consumer redress.
Interestingly, privacy and redress are areas in which BBBOnline offers separate programs, with separate codes and compliance mechanisms: businesses who subscribe to the BBBOnline Reliability program must pledge to offer dispute resolution through the BBB or another dispute resolution provider that meets BBB standards (which involve a long and detailed set of rules to ensure due process); and businesses who subscribe to the BBBOnline Privacy Seal must adhere to a set of rules regarding consumer privacy, as well as a special dispute resolution process for privacy complaints. While a detailed review of these two BBB programs is beyond the scope of this report, we have briefly addressed the adequacy of the Privacy Seal requirements under section VI, part 5, below, and of the dispute resolution mechanism associated with the Reliability Seal under section VI, part 7, below.
To the extent that the new Code will form part of the BBBOnline Reliability Seal requirements, it is appropriate that we examine those requirements as well. In order to use the BBBOnline Reliability Seal, companies are required to:

  • Become a member of the appropriate local Better Business Bureau;
  • Provide the BBB with information regarding company ownership and management and the street address and telephone number at which they do business, which will be verified by the BBB in a visit to the company’s physical premises;
  • Be in business a minimum of one year (with limited exceptions);
  • Have a satisfactory complaint handling record with the BBB;
  • Agree to participate in the BBB’s advertising self-regulation program, and correct or withdraw online advertising when challenged by the BBB and found not to be substantiated or not in compliance with our children’s advertising guidelines;
  • Respond promptly to all consumer complaints; and
  • Agree to dispute resolution, at the consumer’s request, for unresolved disputes involving consumer products or services advertised or promoted online.

The BBB’s initial onsite verification, ongoing monitoring of complaints, advertising self-regulation program, and dispute resolution mechanism are all valuable components of its seal program, and if added to the draft Code, will substantially improve on its provisions for consumer redress and compliance assessment. In particular, the requirement for a physical onsite inspection of online businesses by BBB officers is unique and adds significantly to the value of the BBBOnline seal. We have, however, reviewed the draft Code as a stand-alone document, since BBBOnline is promoting it as such.

III. COMPREHENSIVENESS OF OTHER CODES AND STANDARDS RELATIVE TO BBBONLINE DRAFT CODE

Compared to the BBBCode, the Canadian Principles (and incorporated CSA Privacy Code) are more comprehensive in the areas of consumer privacy, returns policy, and, to some extent, dispute resolution, but less comprehensive in the areas of misleading/deceptive business practices, contract fulfilment, and, to a lesser extent, information disclosure. Protection of children is not addressed at all in the Canadian Principles or CSA Standard.
The Ziff-Davis Standard is far less comprehensive than the BBBCode, both in an overall sense (areas covered) and by topic. It provides no guidance at all on contract formation/cancellation, unsolicited commercial email, protection of children, or dispute resolution, almost none in the area of misleading/deceptive business practices and very little on internal complaints handling. Its rules on consumer privacy are as weak as or weaker than those of BBBOnline.
Clearly, the Australian Complaints Handling Standard is highly comprehensive in the area of complaints handling, and the British Standard on Information Security Management similarly in the area of security. None of the general ecommerce standards or codes examined would be expected to match the comprehensiveness of these specific standards in the areas they cover.
TrustUK, the “seal of seals” program, has a list of accreditation criteria which is the most comprehensive of all other codes examined. It covers all areas other than online contract formation/cancellation, and like the BBBCode, includes a strong section aimed at protecting children. Its rules on consumer privacy, redress, and transactional security are significantly more detailed and comprehensive than those of the BBBCode. Indeed, its rules on security are much more comprehensive than any of the other codes examined: it recommends use of the highly detailed BSI Standard on information security management, in addition to requiring adherence to a number of specific security-related rules. While not as comprehensive as the BBBCode in the areas of information disclosure and misleading/deceptive business practices, it is generally more so than most other codes.
The WebTrader Code addresses most areas, but fails to address contract formation/cancellation (other than cancellation rights where the price changes) and provides no rules regarding the protection of children. It is most comprehensive in the area of complaints resolution, and, by linking to other Codes and Statutes, in the areas of misleading/deceptive practices (advertising and sales promotion) and data protection. It is much less comprehensive in the areas of information disclosure, contract fulfilment, unsolicited commercial email, and dispute resolution.
The WebTrust Code is difficult to compare because it takes a completely different approach to consumer protection, focussing almost exclusively on disclosure and internal controls, rather than end-results from the consumer perspective. It thus provides a completely different type and level of detail from most of the other codes and standards considered. For example, on information disclosure, instead of providing a comprehensive listing of specific disclosures that must be made, it offers a general statement with examples. Areas that it fails to cover include misleading/deceptive business practices, unsolicited commercial email, dispute resolution, and the protection of children. Contract formation, consumer privacy, complaints handling and dispute resolution are only partially addressed. More thoroughly covered are the areas of contract fulfilment and transactional security.
TRUSTe does not purport to cover more than consumer privacy. On this issue, however, it is not as comprehensive as some other codes which deal with more than data protection – it is similar to the BBBCode in this respect. TRUSTe’s code, however, does require use of a particular dispute resolution process for consumer privacy complaints, and in this respect provides more than does the BBBCode.
The Better Internet Business Code is not at all comprehensive, and is markedly less so than the BBBCode. It addresses only four relevant issues, and in each case does so exceedingly briefly, as follows: no “unlawful acts”, no “misleading or deceitful statements”, no “spam”, and a minimum 30 day refund on items sold on the Internet. It requires nothing in terms of information disclosure, contract formation/cancellation, contract fulfilment, consumer privacy, transactional security, complaints handling, dispute resolution, or children. In contrast, the BIB seal is remarkably sophisticated and suggests far more than the Code actually delivers. In addition to the words “Better Internet Bureau”, the seal states “Certified Quality Site”. Not only is this misleading in and of itself, but it clearly takes advantage of the goodwill generated by the Better Business Bureau and may well violate the BBB’s trademark rights.
The Better Cyber Bureau (“Safengine”) Code is similarly superficial, addressing only transactional security, contract formation, and consumer complaints handling/dispute resolution, and in each case doing so less than comprehensively. While the Safengine Seal is significantly different from other seals, it again suggests more than it delivers, and therefore may generate unwarranted consumer trust.

IV. FORMAT/STRUCTURE OF BBBONLINE DRAFT CODE

As the above analysis indicates, the BBBCode is relatively comprehensive in its coverage of consumer issues in ecommerce. However, the value of this comprehensiveness is diminished to some extent by the structure of the draft code: the subject matter of the five Principles is not 100% clear from the titles, and not all relevant rules are provided in the section where one might expect them to appear. For example, a number of disclosure requirements are set out in other sections (e.g., disclosure of safety warnings is found under Principle 2, which addresses misleading/deceptive practices, rather than Principle 1 which addresses information disclosure; disclosure of the entity conducting compliance reviews is found under “Compliance” rather than Principle 1; provision of clear billing information is found under Principle 4 but not Principle 1; the rule re: limiting retention of consumer information is set out under Principle 4 “Aim to Please!”, instead of Principle 3 “Have Respectful Information Practices!”).
Thus, it is essential for someone trying to determine the Code’s requirements in any particular area to review the entire Code. While this is not a herculean task (since the Code is not long, is drafted in fairly concise language, and uses subheadings to advantage), it would be more helpful to cross-reference those provisions that logically fall under more than one heading.
Moreover, it is not always clear whether a given requirement applies only to the subject-matter of the subheading under which it appears, or more generally to the subject-matter of the entire Principle. For example, the following clause appears under Principle 1, subheading “Information about the Online Transaction Itself”: “When online businesses provide consumers with the ability to conduct a transaction in more than one language, they must assure that all material information appears in all the languages provided.” It is not clear whether “material information” is limited to “information about the transaction itself”, or applies to all information, including that relating to the business and the goods and services offered.
The BBBCode is divided into six sections, as follows:

  • Principle 1: Disclose! Disclose! Disclose!
  • Principle 2: Tell the Whole Truth and Nothing but the Truth!
  • Principle 3: Have Respectful Information Practices!
  • Principle 4: Aim to Please!
  • Principle 5: Take Special Care with Children!
  • Compliance

It is not clear why Compliance is not presented as a Principle, especially in light of its stated importance (“Failure to properly identify the compliance review entity shall be considered a violation of the Code.”).
Under Principle 1, BBB provides most of the information disclosure requirements (however, as noted above, many appear in other sections). These requirements are categorized by type (e.g., about the business, about goods and services offered, about the transaction itself), rather than by the stage at which they must be made (e.g., to all consumers accessing the website, vs. to consumers on the verge of making a transaction, vs. to customers after the transaction is made). This is not necessarily a drawback, as long as BBB sets out in each case the minimum requirement in terms of timeliness of the disclosure. Our review indicates that such is usually but not always the case. Similarly, BBB repeats the general information requirements of clarity, conspicuousness, etc. with each disclosure requirement rather than setting the general requirements out up front, as we have done in Appendix B. The risk of the BBB approach is that failure to specify the general and/or timeliness requirements with respect to a specific disclosure rule may significantly weaken that rule.
Clearly, BBBOnline is attempting through its catchy titles not only to attract the attention of readers, but to put a positive light on the requirements of the code. The downside of this approach is that it may obscure the actual content of the provisions.
We also note that the BBBCode sets out a summary listing of the five Principles up front, before launching into the detailed requirements of each. While readers can be expected to appreciate that the Code involves more than this summary, there is a risk of misinterpretation unless the summary is clearly identified as such. In comparison, the Canadian Principles note as follows with their summary: “This summary must be read in conjunction with the full text of the principles, which follows.”
Also potentially prone to misinterpretation is the infrequent use by BBBOnline of the term “should” (and in one case, the term “can”) in a document that otherwise uses the terms “shall” and “must” throughout. While it may seem clear that in such a context, the use of “should” clearly indicates an intention to recommend rather than demand, such intention is not otherwise brought to the attention of the reader. All but the most careful readers may fail to notice the “should” statements, and may thus assume incorrectly that they represent requirements. In contrast, the Ziff-Davis Standard clearly indicates which of its provisions constitute minimum standards, and which constitute best practices. In keeping with its own principles of clarity and disclosure, BBBOnline should highlight any non-binding clauses in its Code.
Finally, the BBBCode provisions are not (yet) numbered, unlike those of other codes. This lack of numbering makes it difficult to refer to specific sections, and may make the code more difficult to read.

V. FORMAT/STRUCTURE OF OTHER CODES

The structure and format of other general consumer ecommerce codes reflect both the perspective of the drafters, and the target audience. For example, the Canadian Principles and OECD Guidelines identify discrete subject areas more on the basis of law and government policy, reflecting the perspective of their drafters and the needs of OECD members. Unlike the BBBCode, section headings provide no directives in and of themselves; they simply identify the subject area.
The format of the CICA WebTrust Code, on the other hand, reflects a preoccupation of accountants with internal company controls aimed at providing “reasonable assurance” that certain results will be achieved. Thus, instead of setting out a comprehensive list of required results, the WebTrust Code focuses on execution of transactions in accordance with disclosed business practices, effective operational controls, and monitoring of those controls. This Code is divided into three sections, titled “Business Practice Disclosure”, “Transaction Integrity”, and “Information Protection”. Because of the generality of these headings, and the lack of sub-headings, it can be difficult to pinpoint a particular clause. This structure may make sense to accountants and possibly some businesses, but it is not “consumer-friendly”, and is likely to be difficult for small businesses to easily understand and adopt.
The format of the Ziff-Davis Standard is once again distinct, with clauses covering scope, purpose, and uses of the Standard, as well as conformance and definitions/terminology. The Z-D Standard requires such clarification because of its requirement for an “Information Centre”, and its inclusion of best practices as well as minimum standards in the standard. Another interesting approach taken by the Z-D Standard is to include explanatory notes with each clause. These notes are distinctively highlighted so as not to confuse the reader, and provide a useful purpose statement for each clause.
TrustUK’s accreditation criteria (Core Principles for Online Codes of Practice, and Core Principles for Redress Mechanisms, Monitoring and Enforcement) are well-laid out and clearly identified. This is the longest and most complicated code of all examined (other than the formal Australian and BSI Standards), yet one of the easiest to navigate and understand. All sections are numbered, and ordered in a logical fashion.
The WebTrader Code is similar to the BBBCode insofar as it uses plain and concise language, but is even more brief and to-the-point on the topics it covers. Clear headings are provided for each subject area, and given the brevity of each, the lack of paragraph numbering is not a problem – this code is easy to navigate and understand. Unlike the BBBCode, however, WebTrader does not attempt to categorize its provisions other than into the 18 topics covered. Should this Code become any more detailed, such categorization would be useful. However, as the BBBCode example shows, categorization of rules comes at a price if not done properly and with appropriate cross-referencing.

VI. ADEQUACY OF BBBONLINE DRAFT CODE PROVISIONS

1. Information Disclosure

The BBBCode provisions on information disclosure are generally excellent, covering such key requirements as clarity, ease of understanding, conspicuousness, comprehensiveness, accuracy, and capability of being retained by the consumer. Unlike most other codes, the BBBCode includes provisions requiring disclosure in all pertinent languages, and disclosure of the entity that conducted the site’s compliance review. This latter requirement is particularly important where there is no requirement under the code for compliance assessment by a neutral third party. BBB also requires disclosure of the site’s policy on unsolicited commercial email, an increasing frustration for many online shoppers, and requires that all billing information be provided “in an easy-to-understand format so the consumer can determine to which transaction and which company the bill relates”. Unlike other Codes, BBBOnline’s also addresses the issue of ongoing subscriptions, requiring in such cases that the business provide consumers with “easy-to-understand subscription cancellation information…”.
Improvements, however, could be made in the following areas:

  • the Code’s provisions on capability of retention by the consumer are not written in binding language. Unlike most other provisions, they use the term “should” rather than “shall”. It is not clear whether this is intentional or not, and if so, why it would not be a requirement of the Code that information “appear in a format that allows the consumer to maintain a record of it through printing or storing if the customer is properly equipped to do so”.
  • the Code could state that information disclosed about the business must be sufficient for follow-up inquiries, dispute resolution and legal action (this is merely implied);
  • the Code’s provision under “Information about goods and services offered online” does not clearly state that such information should be complete, but does go on to state that “Complete and accurate information means enough information so that a consumer understands the goods or services being offered through an online transaction”. It is possible that the word “complete” was unintentionally omitted from the first clause in this draft.
  • the Code requires businesses to “disclose information about how consumers can make their transaction payments”, but does not require businesses to disclose relevant implications of different payment options, such as its credit card payment policy.
  • businesses are not required to provide notice to the customer of potential additional charges beyond the control of the business, but material to the consumer’s purchasing decision. Instead, they are merely encouraged, “when possible and at a reasonable cost” to give such notice.

2. Misleading/Deceptive Practices

This is an area in which the BBBCode is clearly superior to all of the other codes examined. One of five Principles is devoted to this topic, and covers not only advertising standards, but also the covert use of technology to deceive consumers, affect consumers’ navigational choices, or deceptively draw consumers to certain websites. The potential for deceptive use of technology raises important issues in electronic commerce, which few consumers are likely aware of given the hidden nature of the practices. Businesses need to be told that such practices are unacceptable. The BBBCode gets high marks for its attention to these online consumer problems.
Misleading advertising is a significant problem for consumers both online and offline. As it has done offline, BBB addresses this issue in the online context, and does so more than adequately. Only the WebTrader and TrustUK codes provide similar levels of protection in this area, by incorporating relevant Codes administered by the Advertising Standards Authority in the UK. The OECD Guidelines provide more general directives on misleading advertising, while the Canadian Principles merely require that the terms and conditions of sale be clearly distinguished from marketing and promotional material or messages.
The Ziff-Davis Standard takes a different and much less rigorous approach to online advertising, requiring only that “In the merchant’s information centre, the merchant shall notify customers of its policy on accepting payments or other consideration from third parties for placement of any content related to the third parties’ products/services that is not clearly identifiable as advertising.”

3. Online Contract Formation/Cancellation

This is one area in which the BBBCode is inadequate, from the consumer perspective. Given the potential for keystroke or clicking errors, as well as for misunderstanding, in the online context, it is essential that online vendors confirm a consumer’s intent to transact before engaging the consumer in a binding transaction. Electronic commerce is still in its early stages; many consumers are still unfamiliar with the medium and may not appreciate the consequences of their online actions. Yet, the BBBCode does not appear to require business subscribers to take proper precautions in this respect. Instead, it merely encourages them (through the use of the term “should” instead of “shall”) to:

  • provide the consumer with an opportunity to confirm her intent to enter into the online transaction,
  • confirm key details of the order, and
  • correct and modify the order.

Moreover, the BBBCode provides consumers with cancellation or refund rights only where “a delay in shipping occurs”. This is insufficient consumer protection in the online context.
A separate provision in the draft BBBCode, however, raises questions as to exactly what BBBOnline intends to provide in this respect. Under Principle 1, “Terms of the Online Transaction”, the Code states as follows:
“Upon consummation of a transaction by a consumer, online businesses shall provide the consumer with a confirmation notice of the transaction. Online businesses shall give notice that they provide this confirmation prior to the completion of a transaction.”
Needless to say, this provision is ambiguous both in its own wording, and in relation to the other permissive provision referred to above. Confirmation should be required both before and after the transaction is completed. Beforehand, the purpose is to ensure intentional contract formation; afterward, the purpose is to facilitate contract fulfilment and redress as necessary. The BBBCode requires clarification and modification in order to resolve this drafting problem.
Consumers must have an opportunity, before concluding the transaction, to, in the words of the OECD Guidelines, “identify and correct any errors or modify the order, express an informed and deliberate consent to the purchase, and retain a complete and accurate record of the transaction”. Moreover, as the OECD Guidelines state, “the consumer should be able to cancel the transaction before concluding the purchase”.
In keeping with the OECD Guidelines, the Canadian Principles require online vendors to “make clear what constitutes an offer, and what constitutes acceptance of an offer”, so as “to ensure that the consumer’s agreement to contract is fully informed and intentional”. They go on to require “in inadvertent sales transactions in which consumers acted reasonably, the vendor should allow the consumer a reasonable period of time to cancel the transaction once the consumer has become aware of it”. Even WebTrust requires “controls to provide reasonable assurance that positive acknowledgement is received from the customer before the order is processed”, and Safengine (the Better Cyber Bureau) includes as one of its very few requirements that “some type of confirmation form” be used for all online transactions.
It should be noted that the BBBCode does require businesses offering subscriptions online to provide consumers with “an easy to use means to cancel an ongoing subscription, and timely confirmation of such cancellation”. We found this provision in no other code.
Contract Fulfilment/Return Policy
The BBBCode deals with contract fulfilment issues succinctly, by requiring that “online businesses shall comply with all commitments, representations, and other promises made to a consumer”. In addition, it requires confirmation of sales transactions either at the time of the transaction or immediately following via email. Such confirmation must include sufficient information for purchasers to obtain the status of the order, and must be capable of being printed by the consumer.
While not as detailed as some Codes in the area of contract fulfilment (e.g., WebTrust, Ziff-Davis), the BBBCode is more detailed than others (Canadian Principles, WebTrader).
However, the BBBCode does not set a high standard when it comes to return policies. As noted above under “Contract Formation/Cancellation”, the BBBCode requires that businesses offer refunds where there is a delay in shipping. Otherwise, however, the Code does not require businesses to adopt any sort of return policy. Indeed, under the information disclosure provision on return policies, the Code states “If the business does not offer a return policy, it shall clearly disclose that fact.” (In the section on dispute resolution, however, businesses are encouraged to consider refunds as one method of satisfying customers in the event of problems with the transaction.)
The BBBCode’s provisions in this respect are inadequate, and do not meet the standard set by other codes, such as WebTrader, which requires full refunds within 30 days where goods turn out to be faulty or different from those ordered, or the Canadian Principles, which require prompt refunds for unauthorized transactions, transactions in which the consumer did not receive what she paid for, and transactions in which the vendor failed to provide relevant information. The WebTrader Code also provides consumers with cancellation/refund rights where the price changes or where the business cannot deliver within the agreed time.
Consumer Privacy (Data Protection)
This is one area in which the BBBCode is clearly inadequate. As noted above in our examination of the comprehensiveness of the BBBCode, numerous important elements of effective data protection are missing. These gaps become most evident when the BBBCode is compared with the CSA Privacy Code (which forms the basis of Bill C-6, proposed federal legislation in Canada, as well as the privacy section of the Canadian Principles reviewed here), or the TrustUK privacy provisions, which appear to be based on a set of principles similar to the CSA Code. Both the TrustUK Code and the WebTrader Code require compliance with the UK Data Protection Act, the provisions of which we have not examined.
Like TRUSTe, the BBBCode focuses on posting and adhering to a privacy policy, rather than meeting all the requirements of fair information practices. While stating up front that the business’s privacy policy must be “consistent with the following fair information principles: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress”, the BBBCode uses permissive (“should”) language for three of the five principles, requiring only that:

  • consumers be given the opportunity to opt out of having their personal information shared with a third party for future marketing purposes;
  • notice be provided as to “what access consumers have to the information collected”;
  • “mechanisms to correct inaccurate individually identifiable information” be established;
  • businesses that collect personal information “state how they protect the quality and integrity of the information collected as well as the confidentiality of that information from unauthorized access”.

In addition, under its “Aim to Please!” principle, the BBBCode prohibits retention of consumer information without affirmative consent where the consumer does not consummate the transaction.
Two of these five requirements constitute information disclosure rules, rather than substantive privacy protection. Hence, the only clear, substantive, and binding privacy protection offered by the BBBCode involves opting-out of disclosures for marketing purposes, the correction of inaccurate information, and the retention of consumer information where the consumer does not complete the transaction. This is woefully inadequate.
In contrast, the CSA Privacy Code and the TrustUK privacy provisions set out a much more comprehensive list of privacy protections, including the following fundamental elements of fair information practices which are not even recommended in the BBBCode:

  • limiting collection of personal information to that which is necessary for the purposes understood and consented to by the consumer;
  • no use or disclosure of personal information without the informed consent of the individual;
  • no unnecessary retention of personal information;
  • measures to ensure the security of personal information held;
  • personal information held must be accurate and where necessary, up-to-date;
  • individuals must be provided, upon request, with reasonable access to their personal information held by the organization;
  • incorrect information must be deleted or corrected promptly;
  • individuals must be able to hold the organization accountable for privacy violations, and challenge its compliance with these policies through a fair and effective redress mechanism.

Even TRUSTe’s privacy code, which is also deficient when compared with the CSA Code, is superior to the BBBCode, insofar as it requires:

  • key disclosures (rather than just recommending them, as BBB does);
  • that consumers be given an opportunity to opt out of internal secondary uses as well as third party distribution for secondary purposes (not just marketing purposes);
  • that appropriate security measures be taken to protect personal information; and
  • that appropriate measures be taken to ensure the accuracy, completeness and timeliness of personal information collected online and that users can verify that inaccuracies have been corrected.

Hence, the BBBCode fails to measure up to established standards in the area of privacy protection.
Out of interest, we also briefly examined BBBOnline’s Privacy Seal requirements, to see how they measure up to the standards established by other codes such as the CSA Privacy Code. While significantly stronger than the draft BBBCode, the BBBOnline Privacy Seal is still deficient in some key areas. Like the TRUSTe Code, it focuses on disclosures rather than on substantive consumer rights to privacy. Neither the collection, use nor disclosure of consumer information is adequately limited (e.g., to that consented to by the individual), and there is no rule restricting the retention of personal information to that which is necessary. However, the BBBOnline Privacy Seal, like TRUSTe, does require special privacy protections for children, along with a separate Children’s Privacy Seal.
Transactional Security
The BBBCode provisions on security require that online businesses “use secure and encrypted channels for the maintenance and transfer of personally identifiable information such as a credit card number”, and “provide safeguards to ensure that any third parties involved in fulfilling a transaction maintain equal or superior security to that used by the business”.
Security provisions in other codes range from extremely basic (“The site must be secure for sending personal information”: WebTrader) to extremely detailed (BSI Information Security Management Standard, recommended by TrustUK). Most of the codes examined (Ziff-Davis, WebTrust, WebTrader, TRUSTe) require only that the business ensure the security of its own site and/or transmissions. However, like the BBBCode, the Canadian Principles and TrustUK Code explicitly address the need for all parties involved in the transaction to adopt appropriate security measures. BBB’s and TrustUK’s provisions in this respect are superior to those of the other codes insofar as they clearly place a responsibility on the business to ensure that third parties involved in the transaction adopt similar security safeguards.
Security of information collected is one aspect of privacy protection, addressed in most privacy policies, including that in the BBBCode. Transactional security involves measures to protect information in transmission, to ensure authenticity of the parties, and to ensure integrity of the transaction. Some codes address these concepts separately, while others treat them as a single issue. By taking the former approach, the BBBCode provides clearer and more specific direction to businesses; it recognizes that different measures will be needed to ensure different types of security (e.g., security of stored information from unauthorized access vs. security of credit card information in transit).
The overall issue of information security management is the subject of a British Standard, BS 7799-2, which specifies requirements for establishing, implementing and documenting information security management systems. This Standard is not limited in application to online businesses. An outline of it is provided in Appendix A. The controls described in this Standard are extremely detailed, addressing all aspects of a business operation, from management accountability and organization processes to systems development and maintenance. The Standard itself is far more lengthy and detailed than most of the general ecommerce codes examined in this study. While certainly desirable, it is unrealistic to expect businesses (especially small businesses) to adopt a standard of this nature as part of a general, mass-marketed ecommerce code.
It is interesting, however, that the TrustUK Code recommends use of the BSI Standard “as a basis for [the business’s] security standards”, and that both the TrustUK and WebTrust codes include a number of provisions on security which focus, like the BSI Standard, on internal business controls.
Consumer Redress
The Better Business Bureau emphasizes effective complaints resolution as an essential component of good business practices, and prides itself on its efforts to resolve customer disputes. It is therefore surprising that the BBBCode would be so deficient in the area of consumer redress. All that is required under the draft code is:

  • “an easy-to-find and easy-to-understand notice of how a consumer can contact the business to resolve any dissatisfaction related to the transaction”;
  • “an effective internal consumer dispute resolution mechanism”;
  • “good faith effort[s] to resolve any disputes…”; and
  • “additional means to satisfy a consumer should the business’s internal consumer dispute resolution mechanism not result in customer satisfaction. Such additional means could include: money-back guarantees, third-party alternative dispute resolution, escrow services, chargeback mechanisms, or insurance policies….”

Complaints Handling
With respect, first, to internal complaints handling, the BBBCode is barely adequate. On one hand, it offers a concise summary of the overall requirement for an effective complaints handling process. On the other hand, it fails to provide sufficient detail on what constitutes an effective complaints handling process, leaving the question of what constitutes “effective” open to interpretation.
A similar approach to complaints handling (broad statements only) is taken by the Canadian Principles, the OECD Guidelines, and the TrustUK Code. In contrast, the WebTrader Code provides an unusual amount of detail on an effective complaints handling process, listing eight necessary components (fair, confidential, effective, easy to use and well publicized, speedy, informative, simple to understand and use, and checked, to see that it is working well), and linking the online reader to a UK government document providing more detailed guidance as to an effective complaints handling process.
The WebTrader Code comes closest to the standard established by the Australian Standard on Complaints Handling (AS/NZS 4269). This Standard is not specific to online businesses, but it is nevertheless entirely applicable. As described in Appendix A, the Australian Standard sets out thirteen “essential elements” of an effective complaints handling process, and expands on each. While it is arguable to what extent the BBBCode’s requirements for an “effective” mechanism and “good faith” efforts to resolve complaints meet the criteria set out in the Australian Standard, it is clear that many important elements of effective complaints handling have been overlooked in the BBBCode (as in most other codes).
For example, the BBBCode does not require that businesses respond to complaints in a timely fashion. Interestingly, this is one requirement that some otherwise even more deficient codes (Ziff-Davis; Better Cyber Bureau) do contain. Perhaps BBBOnline expected that the Code’s requirement for businesses to “respond, promptly and substantively, to the consumer’s questions” met this need. However, “complaints” are not necessarily “questions”, and the two matters are in any case dealt with separately in the BBBCode. Nor does the BBBCode require that the complaints process be “easy to use”, as do both the TrustUK and WebTrader codes.
Dispute Resolution (post-complaint)
The BBBCode is even less adequate with respect to dispute resolution, once the internal complaints process has failed. It simply requires “additional means to satisfy a consumer”, leaving the determination of what those “additional means” are up to the business. BBBOnline explains this initial approach to dispute resolution by noting that there are many ways to resolve disputes, and that technological advances will likely provide others in the future. BBBOnline states in a Note that it “sought to make this paragraph performance based rather than force one option (ADR) on the business”.
The creators of TrustUK, the OECD Guidelines, the Canadian Principles, and TRUSTe, on the other hand, consider third party dispute resolution to be an integral element of effective consumer redress in the context of a code of online business practices. (WebTrader simply requires subscribing businesses to cooperate with Which? legal services, and neither the Ziff-Davis nor WebTrust codes address this issue.) Indeed, TrustUK’s accreditation criteria require that all unresolved complaints be referred to the Code owner for independent resolution – in other words, that the Code owner administer or oversee some kind of independent third party dispute resolution process. Given that BBBOnline already offers such a service under its “Reliability” seal (indeed, requires its Reliability seal holders to participate in it), it is odd that the Code would not make this process a central aspect of its redress provisions. Like BBBOnline’s Reliability seal program, both TRUSTe and the Better Cyber Bureau require subscribing businesses to engage in their dispute resolution processes as necessary, although the efficacy of these particular processes is questionable.
TrustUK also sets out, for Code owners, a list of criteria that their dispute resolution mechanisms must meet. According to TrustUK, redress mechanisms should be effective, free or low cost, independent, quick (with time limits for each stage), easy to use (clear rules), well-publicized, transparent (annual report to be published), and binding on subscribers. Both TrustUK and the Canadian Principles specifically state that use of the dispute resolution process must not remove the complainant’s right to take the matter to court. The Australian Complaints Handling Standard also lists criteria, albeit somewhat different, for an effective dispute resolution process (see Appendix A).
BBBOnline Reliability Seal Complaints and Dispute Resolution Rules
As noted above, BBBOnline has expressed an intention to incorporate the new Code of Online Business Practices into its existing Online Reliability Seal program. BBBOnline’s Reliability seal program requires that participants “have a satisfactory complaint handling record with the BBB”, “respond promptly to all consumer complaints”, and offer dispute resolution through the BBB or another provider that meets BBB criteria. Those criteria are:

  • Full Disclosure (of types of disputes covered, contact information for the arbitration forum, fees, standards used as the basis for the decision, and legal implications of signing the arbitration clause);
  • Requirement that the consumer separately sign the arbitration clause; and
  • Fair and Impartial Resolution (independent and impartial administration, due process, reasonable costs, feedback to BBBOnline on case resolution).

While a vast improvement over the draft Code provisions, the Reliability Seal requirements still do not meet the highest standards of complaints handling and dispute resolution. Numerous requirements of an effective complaints handling mechanism are simply not addressed, and some of the key elements of effective dispute resolution are left unclear (e.g., low cost, ease of access and use, availability of information on past performance) in the criteria set out above. Thus, even in the context of the BBBOnline Reliability Seal Program, there is room for improvement in the area of consumer redress.
Unsolicited Commercial Email
The BBBCode’s provision on unsolicited commercial email (“UCE”) requires that subscribing businesses “provide an easy to use and understand “Do Not Contact” policy – a policy that enables those customers who do not wish to be contacted online to ‘opt out’ online from future solicitations”, and that the businesses “subscribe to a bona-fide email suppression list”. It is not clear what is meant by “email suppression list” – this needs to be clarified.
The “opt-out” approach taken by BBBOnline is common among those codes that address UCE (e.g., OECD Guidelines, WebTrader, TrustUK). TRUSTe, while not specifically addressing UCE, effectively does so via the requirement that consumers be able to opt out of “internal secondary uses”. The Canadian Principles do explicitly address UCE, but do not explicitly choose the opt out approach. They state instead that “Vendors should not transmit commercial email without the consent of consumers, or unless a vendor has an existing relationship with a consumer”. (It is not clear from this statement whether consent can be obtained implicitly via an “opt-out” approach.)
Alternative approaches to UCE are (a) to simply prohibit it, or (b) to require express, positive consent from the consumer (the “opt-in” approach). Interestingly, one of the few requirements of the Better Internet Bureau is that the business does not engage in “any mass distribution of email known as ‘spam’” (the term “spam”, however, could be interpreted broadly or narrowly). TrustUK, while requiring consumer opt-out mechanisms, also prohibits outright the sending of “unsolicited commercial email which is random and untargeted” (one possible definition of “spam”). Given the increasing annoyance and cost imposed on consumers by such untargeted “spamming”, such a rule is appropriate and should be adopted by BBB and other codes.
While “opt in” approaches are preferable from the consumer perspective, “opt-out” approaches can work if applied rigorously and in good faith. It is important, for example, that consumers be made aware of their rights to refuse UCE, and of the method by which to exercise those rights. (The BBBCode requires the business to describe its UCE practices.) It’s also important that UCE be clearly identifiable as such – a requirement found only in the TrustUK code, of all the codes examined.
The BBBCode provisions on UCE, while adequate and better than some other codes, are not in our view optimal. At a minimum, the existing provisions should be supplemented with an outright prohibition on random and untargeted UCE, as well as a requirement that all UCE be clearly identified as such. BBB could also encourage adoption of an “opt in” approach, as a best practice.
Protection of Children
Not all Codes address the special protections that are needed to avoid exploitation of children’s natural credulity, lack of experience and level of risk awareness. Of those reviewed, only the BBBCode, the TrustUK Code, TRUSTe, and the OECD Guidelines address the issue. Unlike the first three, which set out detailed rules, the OECD Guidelines merely state that “Businesses should take special care in advertising or marketing that is targeted to children, the elderly, the seriously ill, and others who may not have the capacity to fully understand the information with which they are presented”.
The BBBCode devotes an entire Principle to children, and requires subscribers to adhere to a separate Code of Practice on advertising to children (“Children’s Advertising Review Unit (CARU) Self Regulatory Guidelines for Children’s Advertising”). TRUSTe requires adherence to an additional set of requirements (“children’s seal requirements”), and display of a separate children’s seal, if the site is aimed at children under 13. TrustUK requires that accredited Codes include “specific requirements relating to the fair treatment of children”, and sets out six provisions that must be included. The TrustUK, TRUSTe, and BBBCode (CARU Code) provisions on children all include rules limiting the collection of information from children, and requiring verifiable parental consent. It should be noted that in the United States, recent passage of the Children’s Online Privacy Protection Act of 1998 establishes legal requirements in respect of such activities. The CARU Code also provides a lengthy and detailed set of rules regarding advertising directed at children.
The BBBCode therefore scores highly in the area of children’s protection.
Compliance Assessment and Oversight
A Code is meaningful only if the entities that claim to comply with it actually do so. Business self-declaration is insufficient, particularly when it comes to reliability seals; independent third party compliance assessment is an essential component of any such scheme. This is recognized:

  • by TrustUK in its accreditation criteria, under which Code owners are responsible for monitoring and enforcing their Codes, and under which TrustUK is responsible for monitoring Code owners and withdrawing accreditation as necessary;
  • by TRUSTe, in its oversight and complaint resolution procedures; and
  • by WebTrust, in its quarterly audit requirement.

All that the BBBCode requires, however, is that the entity that conducted the compliance assessment review be disclosed. In other words, businesses must state that they are declaring themselves to be compliant with the Code, if they choose not to obtain a third party compliance assessment. While such disclosure is essential where self-declaration is permitted, it is not at all clear that consumer misunderstanding will be thus averted, especially if self-declaration is accompanied by a mark indicating third party accreditation.
Assessing the BBBCode in the context of the BBBOnline Reliability Seal program, however, changes the results. Under the Reliability seal program, BBBOnline is the entity responsible for compliance assessment. It monitors the subscriber’s complaint handling and dispute resolution record, and has the power to revoke the seal where a subscriber does not satisfactorily comply. It does not, however, engage in audits (like WebTrust), “seeding” (like TRUSTe), or monitoring of subscribers’ business practices (as required by TrustUK); compliance assessment is purely complaints based. In this respect, the BBB approach to compliance assessment may be seen to be lacking.
TrustUK requires that Code owners “have in place an effective system to enforce the provisions of the Code of Practice to ensure compliance with it”, which system must include:

  • monitoring of subscribers’ compliance with the Code;
  • “effective and meaningful sanctions”;
  • “a commitment from the subscriber to comply with the Code and an undertaking from them to take appropriate action to amend procedures to bring them in line with the Code at the request of the Code owner…”; and
  • “the ability to terminate membership of or involvement with the Code owner…where the subscriber fails to take action to ensure compliance with the Code or is found to be seriously or consistently in breach of the Code”.

In addition, TrustUK requires that Code owners report quarterly to TrustUK on the compliance of their subscribers/members with their Code of Practice.
For its part, TRUSTe conducts periodic reviews of member sites, and periodically “seeds” member sites (submits personal information online) to verify that the site is following its stated privacy policies. When and where it deems appropriate (e.g., where violations are found or suspected), TRUSTe may also require an on-site compliance review by an independent auditing firm. Where licensees fail to correct problems, TRUSTe may revoke the trustmark. However, the criteria for revocation are left unclear, such that revocation decisions are left entirely within the discretion of TRUSTe.
The WebTrust seal program is all about compliance assessment. Entities are permitted to continue displaying the WebTrust seal only if the “assurance examination” is updated on a regular basis, which shall in no case be less than quarterly, and if the entity gives notice of any significant and relevant changes in its business policies, practices, processes and controls during the interval between compliance assessments.

VI. CONCLUSION

The BBBOnline draft Code of Online Business Practices receives a mixed review when measured against emerging standards as well as other existing codes. It is strong in some respects but weak in others. The Code is particularly strong in the areas of information disclosure, misleading and deceptive practices, and the protection of children. It is particularly weak in the areas of consumer privacy and redress. Depending on how each of these components is valued, the BBBCode may be considered adequate or inadequate. It is certainly superior to many other codes and seal programs currently offered in the marketplace, but remains deficient in some key respects. It is hoped that the worst of these deficiencies, at least, will be corrected before the draft Code is finalized and put into practice.
When assessed as part of the BBBOnline Reliability Seal program, the redress and compliance aspects of the draft Code are substantially strengthened, but still don’t meet the highest standards of complaints handling, dispute resolution, and compliance assessment.
APPENDIX A:
OUTLINE OF SELECTED CODES AND STANDARDS
BBBOnline draft Code of Online Business Practices
http://www.bbbonline.org
– speaks to online merchants only
– logo provided to approved members; may be withdrawn if non-compliance
– links to other Code (re: Children’s Advert)